This was found through a Coverity scan of the mozilla source; see <http://scan.coverity.com/>. See |_cairo_output_stream_create_for_file| in cairo-output-stream.c. If |_cairo_output_stream_create| returns NULL, it's dereferenced following the |fclose| call.
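As an added illustration (not part of the report above and not cairo's own code), here is a reduced C model of the reported pattern: a constructor whose allocation fails, releases the FILE it was given, and then writes through the NULL pointer. The `stream_t` type, `create_stream()`, and the `fail_next_alloc` fault-injection flag are assumptions made for the demonstration; the fixed constructor only touches the stream when it exists and otherwise closes the file and propagates NULL.

```c
/* Added example: reduced model of bug #6176 and its fix, not cairo code.
 * stream_t, create_stream() and fail_next_alloc are assumptions for the demo. */
#include <stdio.h>
#include <stdlib.h>

typedef struct {
    FILE *fp;
    int   owns_closure_is_file;
} stream_t;

/* Fault injection: when set, the next create_stream() call returns NULL
 * exactly as it would if the allocator failed (simulated OOM). */
static int fail_next_alloc = 0;

static stream_t *create_stream(FILE *fp)
{
    if (fail_next_alloc) {
        fail_next_alloc = 0;
        return NULL;
    }
    stream_t *s = calloc(1, sizeof *s);
    if (s)
        s->fp = fp;
    return s;
}

/* Buggy shape: on OOM the FILE is closed, then the NULL pointer is
 * written through.  Calling this with fail_next_alloc set will crash. */
static stream_t *create_for_file_buggy(FILE *fp)
{
    stream_t *stream = create_stream(fp);
    if (stream == NULL)
        fclose(fp);
    stream->owns_closure_is_file = 1;   /* NULL dereference on OOM */
    return stream;
}

/* Fixed shape: set the flag only when the stream exists; otherwise
 * release the FILE and hand NULL back to the caller. */
static stream_t *create_for_file_fixed(FILE *fp)
{
    stream_t *stream = create_stream(fp);
    if (stream)
        stream->owns_closure_is_file = 1;
    else
        fclose(fp);
    return stream;
}

static void destroy_stream(stream_t *s)
{
    if (s == NULL)
        return;
    if (s->owns_closure_is_file)
        fclose(s->fp);
    free(s);
}

/* Returns 1 if the fixed constructor survives a simulated OOM (returns
 * NULL without crashing) and still works on the success path, else 0. */
int fixed_path_ok(void)
{
    FILE *fp = tmpfile();
    if (!fp)
        return 0;
    fail_next_alloc = 1;
    stream_t *s = create_for_file_fixed(fp);    /* fp is closed inside */
    if (s != NULL) {
        destroy_stream(s);
        return 0;
    }

    fp = tmpfile();
    if (!fp)
        return 0;
    s = create_for_file_fixed(fp);
    if (s == NULL || !s->owns_closure_is_file)
        return 0;
    destroy_stream(s);
    return 1;
}

int main(void)
{
    /* The buggy constructor only misbehaves under OOM; on the success
     * path it is indistinguishable from the fixed one. */
    destroy_stream(create_for_file_buggy(tmpfile()));
    printf("%s\n", fixed_path_ok() ? "fixed path ok" : "FAILED");
    return 0;
}
```

Flip `fail_next_alloc` before calling `create_for_file_buggy()` to reproduce the crash the scanner flagged; the same fault-injection hook is how you would cover this path in a unit test rather than waiting for a real allocation failure.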
This is now fixed in cairo 1.1.1 and 1.0.3. -Carl

diff-tree c780f4a5624f27a6cbf7829e10e8cd3544ae4f38 (from 92e09ee72fdde9059300b2b63d87e2bbd4286605)
Author: Carl Worth <cworth@cworth.org>
Date: Mon Mar 13 12:05:13 2006 -0800

cairo-output-stream: Don't dereference a NULL pointer due to OOM.

This closes bug #6176: Null pointer dereference on OOM in _cairo_output_stream_create_for_file()
https://bugs.freedesktop.org/show_bug.cgi?id=6176

diff --git a/src/cairo-output-stream.c b/src/cairo-output-stream.c index a6db091..b07423c 100644 --- a/src/cairo-output-stream.c +++ b/src/cairo-output-stream.c @@ -305,9 +305,11 @@ _cairo_output_stream_create_for_file (co return NULL; stream = _cairo_output_stream_create (stdio_write, fp); - if (stream == NULL) + + if (stream) + stream->owns_closure_is_file = TRUE; + else fclose (fp); - stream->owns_closure_is_file = TRUE; return stream; }
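Review bot: the if/else in this hunk is correct, but an early return would match the `return NULL;` two lines above it and keep the success path unindented: `if (stream == NULL) { fclose (fp); return NULL; }` followed by `stream->owns_closure_is_file = TRUE;`. The extra blank `+` line is also unnecessary. Either way, callers of _cairo_output_stream_create_for_file() still get a bare NULL on OOM with no status attached, so every call site has to check the return value.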